I am trying to configure a site-to-site VPN between a pix and a FW1 box. Any help would be greatly appreciated. The following is a snippet of code that the PDM has created/modified (I tried building my own code from scratch initially with the same problem):
------------------------------------------------------------------------------------------------------
access-list inside_outbound_nat0_acl permit ip 10.130.0.0 255.255.0.0 10.129.14.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.130.0.0 255.255.0.0 10.129.6.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.130.0.0 255.255.0.0 10.129.14.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.130.0.0 255.255.0.0 10.129.6.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set tr-cal esp-3des esp-md5-hmac
crypto dynamic-map crydynmap-cal 10 set transform-set tr-cal
crypto dynamic-map crydynmap-cal 30 set transform-set tr-cal
crypto map crymap-cal 20 ipsec-isakmp
crypto map crymap-cal 20 match address outside_cryptomap_20
crypto map crymap-cal 20 set peer 203.19.225.33
crypto map crymap-cal 20 set transform-set tr-cal
crypto map crymap-cal 65535 ipsec-isakmp dynamic crydynmap-cal
crypto map crymap-cal interface outside
isakmp enable outside
isakmp key ******** address 203.19.225.33 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
--------------------------------------------------------------------------------------------------------
When I ping the remote subnet the vpn tries to initialise but I receive this debug output (debugging isakmp and ipsec):
ISAKMP (0): beginning Main Mode exchange
isakmp_send: isakmp disabled on all interface
ISAKMP (0): retransmitting phase 1 (0)...
isakmp_send: isakmp disabled on all interface
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 203.x.x.x, remote= 203.y.y.y,
local_proxy= 10.x.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= 10.y.y.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): retransmitting phase 1 (1)...
isakmp_send: isakmp disabled on all interface
ISAKMP (0): deleting SA: src 203.x.x.x, dst 203.y.y.y
ISADB: reaper checking SA 0x138a3d4, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 203.y.y.y/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 203.x.x.x, remote= 203.y.y.y,
local_proxy= 10.x.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= 10.y.y.0/255.255.255.0/0/0 (type=4)
The original Citrix Guru...
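The snippet above has several parts that have to agree with each other (the interface the crypto map is bound to versus the interface `isakmp enable` names, the crypto map peer versus the `isakmp key` address, the `match address` ACL versus the `nat 0` ACL). As an added example, not part of the original post or of any Cisco tool, here is a small consistency lint written against the config grammar visible in the post. The PIX_CONFIG string is the poster's snippet; BROKEN_CONFIG is a constructed variant with `isakmp enable outside` removed so the first check fires. The posted snippet itself passes every check, which only shows that whatever produces "isakmp disabled on all interface" is not an inconsistency visible in these lines.

```python
"""Consistency lint for a PIX 6.x site-to-site IPsec snippet (added example)."""
from collections import defaultdict

# Configuration as posted in the thread (secret already masked by the poster).
PIX_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 10.130.0.0 255.255.0.0 10.129.14.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.130.0.0 255.255.0.0 10.129.6.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.130.0.0 255.255.0.0 10.129.14.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.130.0.0 255.255.0.0 10.129.6.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set tr-cal esp-3des esp-md5-hmac
crypto dynamic-map crydynmap-cal 10 set transform-set tr-cal
crypto map crymap-cal 20 ipsec-isakmp
crypto map crymap-cal 20 match address outside_cryptomap_20
crypto map crymap-cal 20 set peer 203.19.225.33
crypto map crymap-cal 20 set transform-set tr-cal
crypto map crymap-cal 65535 ipsec-isakmp dynamic crydynmap-cal
crypto map crymap-cal interface outside
isakmp enable outside
isakmp key ******** address 203.19.225.33 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

# Constructed variant: same config with the isakmp enable line missing.
BROKEN_CONFIG = PIX_CONFIG.replace("isakmp enable outside\n", "")


def parse_config(text):
    """Pull out the cross-referenced objects; everything else is ignored."""
    cfg = {
        "acls": defaultdict(set),   # acl name -> {(src, smask, dst, dmask)}
        "nat0_acl": None,           # ACL named by "nat (inside) 0 access-list"
        "transform_sets": set(),
        "isakmp_enabled": set(),    # interfaces with "isakmp enable"
        "isakmp_keys": set(),       # peer addresses that have a pre-shared key
        "maps": defaultdict(dict),  # (map name, seq) -> {"peer", "acl", "ts"}
        "map_interfaces": {},       # map name -> interface it is applied to
    }
    for raw in text.splitlines():
        t = raw.split()
        if len(t) >= 8 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            cfg["acls"][t[1]].add(tuple(t[4:8]))
        elif len(t) >= 5 and t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0_acl"] = t[4]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"].add(t[3])
        elif t[:2] == ["isakmp", "enable"]:
            cfg["isakmp_enabled"].add(t[2])
        elif t[:2] == ["isakmp", "key"] and "address" in t:
            cfg["isakmp_keys"].add(t[t.index("address") + 1])
        elif t[:2] == ["crypto", "map"] and len(t) >= 5:
            if t[3] == "interface":
                cfg["map_interfaces"][t[2]] = t[4]
            elif t[3].isdigit() and len(t) >= 7:
                entry = cfg["maps"][(t[2], int(t[3]))]
                key = {("set", "peer"): "peer", ("match", "address"): "acl",
                       ("set", "transform-set"): "ts"}.get(tuple(t[4:6]))
                if key:
                    entry[key] = t[6]
    return cfg


def lint(cfg):
    """Return human-readable findings; an empty list means the parts agree."""
    findings = []
    for name, iface in cfg["map_interfaces"].items():
        if iface not in cfg["isakmp_enabled"]:
            findings.append(f"crypto map {name} is on {iface} but isakmp is not enabled there")
    nat0 = cfg["acls"].get(cfg["nat0_acl"], set())
    for (name, seq), e in sorted(cfg["maps"].items()):
        if "peer" in e and e["peer"] not in cfg["isakmp_keys"]:
            findings.append(f"{name} {seq}: no isakmp key for peer {e['peer']}")
        if "ts" in e and e["ts"] not in cfg["transform_sets"]:
            findings.append(f"{name} {seq}: transform-set {e['ts']} is undefined")
        if "acl" in e:
            flows = cfg["acls"].get(e["acl"])
            if flows is None:
                findings.append(f"{name} {seq}: match address {e['acl']} is undefined")
            else:
                for flow in sorted(flows - nat0):   # encrypted but still NATed
                    findings.append(f"{name} {seq}: flow {' '.join(flow)} not exempt from NAT")
    return findings


def lint_text(text):
    return lint(parse_config(text))


if __name__ == "__main__":
    for label, cfg in (("posted", PIX_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, lint_text(cfg) or "OK")
```

Running it prints `posted OK` and one finding for the constructed variant. The same structure extends to other cross-references (for example the ISAKMP policy versus what the peer proposes) once the debug output, rather than the config alone, is the input.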